Vulnerability Description
OpenClaw versions prior to 2026.2.22 contain an environment variable injection vulnerability in the system.run function that allows attackers to bypass command allowlist restrictions via SHELLOPTS and PS4 environment variables. An attacker who can invoke system.run with request-scoped environment variables can execute arbitrary shell commands outside the intended allowlisted command body through bash xtrace expansion.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Openclaw | Openclaw | < 2026.2.22 |
Related Weaknesses (CWE)
References
- https://github.com/openclaw/openclaw/commit/e80c803fa887f9699ad87a9e906ab5c1ff85Patch
- https://github.com/openclaw/openclaw/security/advisories/GHSA-2fgq-7j6h-9rm4Vendor Advisory
- https://www.vulncheck.com/advisories/openclaw-remote-code-execution-via-shelloptThird Party Advisory
FAQ
What is CVE-2026-32003?
CVE-2026-32003 is a vulnerability with a CVSS score of 6.6 (MEDIUM). OpenClaw versions prior to 2026.2.22 contain an environment variable injection vulnerability in the system.run function that allows attackers to bypass command allowlist restrictions via SHELLOPTS and...
How severe is CVE-2026-32003?
CVE-2026-32003 has been rated MEDIUM with a CVSS base score of 6.6/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-32003?
Check the references section above for vendor advisories and patch information. Affected products include: Openclaw Openclaw.